Splunk Search

Getting Duplicate message when doing search for User ID (title)

nls7010
Path Finder

This is the search I used:
|rest /services/authentication/users splunk_server=local
|fields title
|rename title as user
|table user | sort user | dedup user

I wanted to get the user Id and then use that in another search that is my panel in a dashboard:
| rest /services/authentication/users splunk_server=local
| fields roles title realname
| rename title as username

When I create the drop down and then key in the first search above, it keeps giving me duplicate values and no listing comes in. Yet when I run it by itself in a search, it brings back what I need and doesn't give me the duplicate entries message. I wanted to use the results of this search to plug into the 2nd search.

Tags (2)
0 Karma

niketn
Legend

@nls7010 can you share the Simple XML code for Dropdown which is throwing Duplicate Values error? (Use the code button i.e. 101010 or Ctrl + K while posting code so that special characters do not escape.

Also better way to run the same query would be as follows:

| rest /services/authentication/users splunk_server=local 
| fields title 
| dedup title 
| rename title as user 
| sort user
| table user

For reference, following is a previous run anywhere example code of mine which would get the logged in User's Role and then show Apps and Dashboards in dropdown: https://answers.splunk.com/answers/639475/how-to-pass-a-dashboard-as-value-in-dropdown-of-an-1.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Hi @nls7010 ,

It might not be the duplicate field but "fields for value" and "field for label" of your dropdown. Make sure that you have the same field name (her user) in "fields for value" and "field for label" or rename them accordingly

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...